Admin account cannot login through SSH

What type of hardware are you using: Old laptop or computer
What YunoHost version are you running: 12.0.11
How are you able to access your server: The webadmin
SSH
Are you in a special context or did you perform specific tweaking on your YunoHost instance ?: nope

Describe your issue

When trying to SSH to my server, whether from the local network or remotely, my admin user is rejected.
I can use root or any other user that I temporarily promoted to the admin group, no problem, and I can use my usual admin account for the webadmin too.
I use password authentication and the command ssh -pXXX user@domain.tld

Share relevant logs or error messages

Found across SSH service logs :
Failed password for invalid user username from 192.168.1.140 port 50277 ssh2
User username from 192.168.1.140 not allowed because none of user’s groups are listed in AllowGroups

So was it working some time in the past ? What happened since then ?

same here, I’m gonna restart my server now but this is in «journalctl» log

==========================
edited: NOT THE SAME ISSUE

just for the record:

I could access my ynh by connecting the rasPi to a monitor; logged in as «admin-user»; checked ownership and admin-user home was owned by «root». I don’t know what I did yesterday. Most likely my fault.

Changed with chown -R admin-user:admin-user /home/admin-user/ and now I can log in with public key again.

Expecting dragons ahead though, because IDK what happened and it might reproduce again.

=========================

ip and user edited

Yesterday I was playing with fail2ban so it might be related. I can now access the admin web interface with admin-user (not «admin», «ghose» set as admin since migration) as I regularly do with ssh-key, but now the key is not accessible (permission).

in this log «Admin» tries to access :thinking: Who’s Admin?

edit: latest YNH in a raspi at home.

Mar 14 06:34:01 sshd[41294]: Connection from 192.168.0.15 port 48920 on 192.168.0.10 port xxxx rdomain ""
Mar 14 06:34:01 sshd[41294]: Could not open user 'ghose' authorized keys '/home/ghose/.ssh/authorized_keys': Permission denied
Mar 14 06:34:01 sshd[41294]: Could not open user 'ghose' authorized keys '/home/ghose/.ssh/authorized_keys2': Permission denied
Mar 14 06:34:01 sshd[41294]: Failed publickey for ghose from 192.168.0.15 port 48920 ssh2: ED25519 SHA256:5aeU1OEVdkZ3rrq/M80xxxxxxxxxxxxxxxxxxxxxFS7CQck2l9UEPM
Mar 14 06:34:01 sshd[41294]: Connection closed by authenticating user ghose 192.168.0.15 port 48920 [preauth]
Mar 14 06:34:05 sshd[41296]: Connection from 92.xxxx.xxx.253 port 59212 on 192.168.0.10 port xxxx rdomain ""
Mar 14 06:34:05 sshd[41296]: Invalid user Admin from 92.xxxx.xxxx.253 port 59212
Mar 14 06:34:05 sshd[41296]: Connection reset by invalid user Admin 92.255.85.253 port 59212 [preauth]
Mar 14 06:34:05 sshd[41299]: Connection from 92.255.xxx.53 port 59214 on 192.168.0.10 port xxxx rdomain ""
Mar 14 06:34:06 sshd[41299]: Connection reset by authenticating user root 92.255.xxx.xx port 59214 [preauth]
Mar 14 06:34:06 sshd[41301]: Connection from 92.255.xxx.xx port 59224 on 192.168.0.10 port xxxx rdomain ""
Mar 14 06:34:06 sshd[41301]: Connection reset by authenticating user root 92.255.xxx.xx port 59224 [preauth]
Mar 14 06:34:07 sshd[41303]: Connection from 92.255.xxx.xx port 59228 on 192.168.0.10 port xxxx rdomain ""
Mar 14 06:34:07 sshd[41303]: Connection reset by authenticating user root 92.255.xxx.xx port 59228 [preauth]
Mar 14 06:34:07 sshd[41308]: Connection from 92.255.xxx.xx port 59232 on 192.168.0.10 port xxxx rdomain ""
Mar 14 06:34:08 sshd[41308]: Invalid user monitor from 92.255.xxx.xxx port 59232
Mar 14 06:34:08 sshd[41308]: Connection reset by invalid user monitor 92.255.xxx.xxxx port 59232 [preauth]

I don’t know about that 92.255… ip, it might be from VPN used in my laptop (I have not checked).

«xxxx» port is ssh port, I changed this ages ago, without issues.

reboot…

…and back, without changes :frowning:

Could not open user 'ghose' authorized keys '/home/ghose/.ssh/authorized_keys': Permission denied

IDK how/why I have changed this (if it was me). How can I chown it back if I have no ssh access?

“diagnose” section in web interface shows no errors in config section, port xxxx accessible from outside too.

:pensive_face: I’m gonna plug my raspi to a keyboard and screen

Well I’m not even sure it even worked at some point, but I worked around it by using root for some time so I did not bother to remember.

My current server was built on a clean install with restored backups (apps and config) from my previous old machine on top… SSH on the old one worked perfectly.

Maybe something went wrong along the way ?

Mokay so if you’re able to still login as root (from the local network ?) you should be able to run groups <username> to double-check that the user is in the admins group

Also we should double check that the admins group is allowed to connect on ssh … something like grep admins /etc/ssh/sshd_config should find the corresponding line … Or another way is to check the ssh conf is up to date with the recommendation from yunohost using yunohost tools regen-conf ssh --dry-run --with-diff

Well SSH conf is alright but I might have found something: my user is not in the admins group.
BUT sudo usermod -a -G admins myusername does not do anything and my user won’t be added to the admins group…

Even weirder: getent group admins shows my username, groups myusername does not show admins. No matter what I try (web admin or CLI) I cannot seem to be able to add this particular user to the admins group.

Yes, that’s an LDAP group, the easiest way to add your user is to add it to the username from the yunohost webadmin, or cf yunohost user group --help command

No effect: I am already listed, when deleting and adding me back it does not change the ssh behavior. But adding another user to the admins group grants him ssh privilege.

yunohost user group add admins agbv

User agbv is already in group admins, but we don't want him to ssh into his server
Ok i invented that last part.
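
Added example, not part of any post in this thread: a small shell check that separates the cases discussed above by comparing the group's member list (`getent group`), the user's resolved group list (`id -Gn`, the view sshd evaluates AllowGroups against) and the AllowGroups entries in sshd_config. The group name `admins` and the config path come from the thread; the function names and outcome labels are made up for this example, and Match blocks and wildcard patterns are not interpreted.

```shell
#!/bin/sh
# Added example, not from the thread. Decision logic takes its inputs as
# text so it can be exercised on constructed data as well as a live host.

# Print every group named on AllowGroups lines of an sshd_config file.
# Simplification (assumption): Match blocks and wildcard patterns are ignored.
allow_groups() {
    awk 'tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# in_list WORD "space separated list": succeed when WORD is one of the items.
in_list() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# diagnose USER GROUP RESOLVED MEMBERS ALLOWED
#   RESOLVED: output of `id -Gn USER` (the user's resolved group list)
#   MEMBERS:  4th field of `getent group GROUP` (comma-separated member list)
#   ALLOWED:  output of allow_groups (empty means no AllowGroups restriction)
diagnose() {
    members=$(printf '%s' "$4" | tr ',' ' ')
    if [ -n "$5" ] && ! in_list "$2" "$5"; then
        echo "group-not-in-AllowGroups"
    elif in_list "$2" "$3"; then
        echo "ok"
    elif in_list "$1" "$members"; then
        echo "listed-but-not-resolved"   # the mismatch reported in the thread
    else
        echo "not-a-member"
    fi
}

if [ -n "${1:-}" ]; then
    # Live check: sh check.sh <username>, run as root on the server.
    diagnose "$1" admins "$(id -Gn "$1")" \
        "$(getent group admins | cut -d: -f4)" \
        "$(allow_groups /etc/ssh/sshd_config)"
else
    # Constructed sample: member list names the user, resolved list does not.
    diagnose myusername admins "myusername" "otheruser,myusername" "admins"
fi
```

A result of `listed-but-not-resolved` corresponds to the situation where `getent group admins` shows the user but `groups <username>` does not, which is the case in which sshd logs "none of user's groups are listed in AllowGroups".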